The CISO Perspective: Putting lessons from WannaCrypt into practice to avoid future threats

Last month, customers and companies around the world were impacted by the WannaCrypt ransomware attack. Even those not impacted are assessing their risk and taking steps to help prevent such attacks. For everyone, including Microsoft, the attack is a stark reminder of the need for continued focus on security and proven operational techniques. So, after many conversations with my peers in the industry about the attacks in recent weeks and the steps we are each taking to better protect our environments, I wanted to share the common themes that have emerged. I’ve included best practices, technologies and links to more information.

This list is by no means exhaustive, but I hope it is a helpful starting point for those looking for more guidance on how to help protect their environments from present and future threats:

Implement robust update deployment technologies and operational practices so you can deploy updates as consistently and quickly as possible. Companies with complex deployment needs might consider working with IBM BigFix, Landesk/Ivanti, or Microsoft’s System Center Configuration Manager. Our customers can use Windows Update and Windows Update for Business, free of charge. (This is a multi-faceted issue so I’ve added more thoughts below.)

Limit the impact of email as an infection vector. This is particularly important given that more than 90% of cyberattacks start with a phishing email. Developing strong user education and awareness programs can help individual employees identify and avoid phishing emails. Barracuda, FireEye, and Office 365’s Exchange Online Protection and Advanced Threat Protection all provide technology to help prevent phishing and spam emails and other links to malware from getting through to your users.

Ensure the broad deployment of up-to-date anti-malware software. Solutions from industry partners like those in the Microsoft Active Protections Program, as well as technologies like Windows Defender and Advanced Threat Protection, can help protect users and systems from attacks and exploits.

Implement protected backups in the cloud or on-premises, also known as a data protection service. Having multiple versions of your data backed up and protected by measures such as dual factor authentication is a critical layer of protection to help prevent ransomware or malware from compromising your data. Companies can look to vendors like NetApp, CommVault, or Microsoft with Azure Backup for solutions.

Implement multi-factor authentication to protect user identities and minimize the probability of unauthorized access to company resources and data with technologies like RSA SecurID, Ping Identity, Microsoft Authenticator and Windows Hello.

Improve your team’s situational awareness and response capability across your enterprise all the way to the cloud. Cybersecurity attacks are increasingly complex, so businesses need a holistic view of their environment, vulnerability, real-time threat detection, and ideally, the ability to quarantine compromised users and systems. Several companies offer cutting-edge capabilities in this regard, including Qualys, Tenable, Rapid7 and Microsoft’s own Azure Security Center and Windows Defender Advanced Threat Protection (WDATP).

Store and analyze your logs to track where an infection starts, how far into your enterprise it went and how to remediate it. Splunk, ArcSight, IBM and Microsoft with our Operations Management Suite – Security all offer capabilities in this area.
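One way to do this kind of tracing once the logs are centralized, as an added example that is not code from the original post or from Microsoft: correlate a host-based alert feed with a network connection log to find the earliest alerting host, attribute each later contact to an already-alerting source, and separate confirmed hosts from hosts that were merely reached and still need checking. The hostnames, timestamps and both log formats are constructed for the example, and filtering on a single service port (445 here) is an assumption about what the responder is looking for.

```python
"""Trace where an infection started and how far it reached, from log data.

Added example: correlates a constructed endpoint alert log with a constructed
network connection log. Real log-analytics platforms store richer records, but
the correlation rule is the same: a contact counts as possible spread only if
its source was already known to be infected at the time of the contact.
"""
from datetime import datetime

# Constructed endpoint alert log: "<timestamp> <host> ALERT <detail>"
ALERT_LOG = """\
2017-05-12T07:44:10Z ws-finance-07 ALERT ransomware-behaviour
2017-05-12T07:51:02Z ws-finance-12 ALERT ransomware-behaviour
2017-05-12T08:03:45Z srv-files-01 ALERT ransomware-behaviour
"""

# Constructed network connection log: "<timestamp> <src> -> <dst> <port>"
CONN_LOG = """\
2017-05-12T07:30:00Z ws-finance-07 -> srv-files-01 445
2017-05-12T07:45:30Z ws-finance-07 -> ws-finance-12 445
2017-05-12T07:46:00Z ws-finance-07 -> ws-finance-03 445
2017-05-12T07:52:10Z ws-finance-12 -> srv-files-01 445
2017-05-12T08:10:00Z srv-files-01 -> ws-hr-02 445
2017-05-12T06:00:00Z ws-hr-02 -> ws-finance-07 445
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def first_alert_times(alert_text):
    """Map each host to the earliest time the anti-malware/EDR alert fired."""
    times = {}
    for line in alert_text.splitlines():
        ts, host, kind, _detail = line.split(maxsplit=3)
        if kind != "ALERT":
            continue
        t = parse_ts(ts)
        if host not in times or t < times[host]:
            times[host] = t
    return times


def parse_connections(conn_text):
    """Return (timestamp, src, dst, port) tuples sorted by time."""
    conns = []
    for line in conn_text.splitlines():
        ts, src, _arrow, dst, port = line.split()
        conns.append((parse_ts(ts), src, dst, int(port)))
    return sorted(conns)


def patient_zero(alert_times):
    """The host with the earliest alert is the best first guess for origin."""
    return min(alert_times, key=alert_times.get)


def trace_spread(alert_times, conns, port=445):
    """Return {contacted_host: (source_host, timestamp)} for every host that an
    alerting host contacted over `port` at or after the source's first alert.
    Contacts made before the source alerted are not attributed; the earliest
    qualifying contact is kept for each destination. The port filter is an
    assumption about the service the responder is investigating."""
    reached = {}
    for ts, src, dst, p in conns:
        if p != port or src not in alert_times or ts < alert_times[src]:
            continue
        if dst not in reached:
            reached[dst] = (src, ts)
    return reached


def triage(alert_times, reached):
    """Split hosts into confirmed (alerted) and exposed (reached, no alert yet)."""
    confirmed = sorted(alert_times)
    exposed = sorted(h for h in reached if h not in alert_times)
    return confirmed, exposed


if __name__ == "__main__":
    alerts = first_alert_times(ALERT_LOG)
    conns = parse_connections(CONN_LOG)
    print("likely origin:", patient_zero(alerts))
    reached = trace_spread(alerts, conns)
    for host, (src, ts) in sorted(reached.items(), key=lambda kv: kv[1][1]):
        print(f"{ts:%H:%M:%S} {src} -> {host}")
    confirmed, exposed = triage(alerts, reached)
    print("confirmed, isolate and rebuild:", confirmed)
    print("exposed, scan and verify:", exposed)
```

In the constructed data the 06:00 contact from ws-hr-02 and the 07:30 contact from ws-finance-07 are ignored because neither source had alerted yet, which is what keeps the traced path from sprawling across every host that ever talked to an infected one. The exposed list (ws-finance-03 and ws-hr-02) is the remediation backlog the log platform cannot confirm on its own: those hosts need an anti-malware scan or a check of the endpoint telemetry before they are cleared.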

Keeping systems up to date is critical so I want to share a few more thoughts about how we approach it as part of our overall security posture. First, there is no one-size-fits-all strategy. A comprehensive approach to operational security – with layers of offense and defense – is critical because attackers will go after every chink in your armor they can find. That said, updating can be difficult in complex environments, and admittedly no environment is 100% secure, but keeping your software up to date is still the number one way to stay secure in a world of motivated attackers and constantly evolving threats.

In terms of how we approach patching and updating at Microsoft, I’m fortunate to have passionate teams working around the clock to limit the impact of infections and update vulnerable systems as quickly as possible. I also know that the Windows team works hard to ensure that they consistently deliver high quality updates that can be trusted by hundreds of millions of users. They conduct thousands of manual and automated tests that cover the core Windows functionality, the most popular and critical applications used by our customers, and the APIs used by our broad ecosystem of Windows apps and developers. The team also reasons over the data, problem and usage reports received from hundreds of millions of devices and triages that real world usage information to proactively understand and fix application compatibility issues as quickly as possible. With all of this context in mind, I want to acknowledge that even more work is needed to make updates easier to deploy and we have teams across the company hard at work improving the experience.

Whether you are a vendor like Microsoft or one of the billions of businesses who count on IT to function, security is a journey, not a destination. That means constant vigilance is required. I hope you find this information helpful on your own journey and as you assess your readiness in light of recent attacks.

You can read more about the WannaCrypt attack in the MSRC Blog, as well as Microsoft President Brad Smith’s perspective on the need for collaboration across industry, government and customers to improve cybersecurity. Visit our Get Secure, Stay Secure page regularly for additional guidance, including new insights on ransomware prevention in Windows 10.